Solved

AD DNS - I can ping some ip's but not others

Posted on 2008-10-15
Last Modified: 2012-05-05
I have an AD forest with 1 Domain and 7 Subdomains.
I'm using AD integrated DNS
One of my subdomains has 2 sites
I created an OU within the subdomain that houses all of the 2nd site's servers, users etc.
I can ping servers and workstations to all domains from the 2nd site, except for a few. I don't know what's stopping me from pinging our "internet filter" from this site. I can ping something within the same IP range, like 192.168.xx.11, but not 192.168.xx.12...

Question by:bernardb
22 Comments
 
Expert Comment

by:Chris Dent

You can't ping by IP address?

Or is it Name Resolution that's at fault? That is, if you run "nslookup <host>" does it reply?

Can you connect to other services on the server? Anything running as TCP can be tested with telnet <servername> <port>. For example, we can test a connection to an SMTP server with "telnet server 25", or a web server with "telnet server 80". In most cases a successful connection is shown by a blank screen, anything but an error message is good :)

Chris
Author Comment

by:bernardb
Also, from all other domains, when I ping the filter I get the following
filter.domain.com

when I ping from the problem site, I get

filter.subdomain.domain.com

it should be filter.domain.com
Expert Comment

by:Chris Dent

Does filter exist as a record in DNS in subdomain? Or does a wildcard exist (*)? Or is WINS forwarding enabled for subdomain?

I take it you get the wrong IP back in subdomain?

Chris
Author Comment

by:bernardb
I can't ping 192.168.xx.50 from this specific site, but I can from all other domains and sites.
Expert Comment

by:Chris Dent

Then the problem isn't DNS, it's network level. Something is blocking ICMP, you need to check any Firewalls between the client and the server, and any firewalls running on the server.

Chris
Author Comment

by:bernardb
Could the following entries block ICMP?

access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 range 8888 8889
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 range 8888 8889

They're the only entries associated with the problem site.

Expert Comment

by:Chris Dent

No, but they don't permit it either :)

Chris
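Chris's point worked through in code, as an added example that is not part of the thread: a small first-match evaluator for PIX access-list entries like the ones bernardb quoted. The masked "xx" octets are replaced by constructed values, and it assumes the list is applied to the interface the site's traffic enters, so anything no entry matches falls to the implicit deny at the end; an ICMP echo never matches a tcp-only entry.

```python
import ipaddress
import re

# Constructed sample: the thread's four PIX entries with the masked xx octets replaced by 10 and 1.
ACL_TEXT = """\
access-list acl_inside permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.10 eq 8080
access-list acl_inside permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.10 range 8888 8889
access-list acl_inside permit tcp 192.168.10.0 255.255.255.0 host 206.90.1.245 eq 8080
access-list acl_inside permit tcp 192.168.10.0 255.255.255.0 host 206.90.1.245 range 8888 8889
"""

# Classic (pre-8.3) PIX syntax: "host A" or "NET MASK" for source and destination,
# plus an optional "eq P" / "range P1 P2" on the destination port.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+\s+\S+)\s+(?P<dst>\S+\s+\S+)(?:\s+(?P<op>eq|range)\s+(?P<ports>[\d ]+))?\s*$"
)

def parse_addr(spec):
    kind, value = spec.split()
    if kind == "host":
        return ipaddress.ip_network(value + "/32")
    return ipaddress.ip_network(f"{kind}/{value}", strict=False)  # PIX uses a real subnet mask

def parse_acl(text):
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        ports = None
        if m["op"] == "eq":
            ports = (int(m["ports"]), int(m["ports"]))
        elif m["op"] == "range":
            lo, hi = m["ports"].split()
            ports = (int(lo), int(hi))
        aces.append({"name": m["name"], "action": m["action"], "proto": m["proto"],
                     "src": parse_addr(m["src"]), "dst": parse_addr(m["dst"]), "ports": ports})
    return aces

def evaluate(aces, name, proto, src, dst, dport=None):
    """First-match evaluation; a packet that matches no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["name"] != name or ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["ports"] and (dport is None or not ace["ports"][0] <= dport <= ace["ports"][1]):
            continue
        return ace["action"]
    return "deny (implicit)"
```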
Author Comment

by:bernardb
I may have missed the following. I can ping and get the following from the other sites:
ping 192.168.xx.50
I get good replies and it shows up as "filter.domain.com"

when I ping from the problem site, I get
ping filter.subdomain.domain.com
I get request time outs and it shows up as "filter.subdomain.com"

it should be filter.domain.com

Make sense? Hope I'm explaining fully
Author Comment

by:bernardb
Only one firewall...a PIX with the entries shown. No firewalls on the servers or clients...

access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 range 8888 8889
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 range 8888 8889
Expert Comment

by:Chris Dent

But is the IP address returned from filter.subdomain.domain.com correct or not?

Take name resolution out and concentrate on the network layer if it is, if it's not we need to know why subdomain is giving a response for "filter".

Chris
Author Comment

by:bernardb
Yes, the IP address returned from filter.subdomain.domain.com is the correct IP.
Expert Comment

by:Chris Dent

Okay, good :) I did want to be sure about that.

Can you telnet to port 8080 on the server? That will tell us if IP flows properly, if routing is correct.

Chris
Author Comment

by:bernardb
Telnet appears to fail with connection refused from all domains...I tried the command line and PuTTY.

telnet 192.168.xx.50 8080 - connection refused, no matter what site or domain I'm trying it from

PuTTY, same thing...

But I can ping from the other domains and can't from this site....but telnet fails on all of them
Expert Comment

by:Chris Dent

Then TCP isn't flowing either. Tracert <ip> and see if the path looks correct?

If you have a number of firewalls in between the sites check the routing, check NAT and check the rule-set.

Chris
Author Comment

by:bernardb
The trace fails to this IP but not to the other. Only one firewall device...and the only connection to
10.203.xxx.50 - it goes out my gateway to the service provider and then:
U:\>tracert 10.203.xxx.50

Tracing route to iprism.xxxxxxx.org [10.203.xxx.50]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.xxx.1
  2    20 ms    18 ms    34 ms  h-67-100-228-74.nycmny83.covad.net [67.100.xxx.4]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The other trace to a server at the same location as the above appliance goes through fine.

U:\>tracert 10.203.xxx.45

Tracing route to chcsfp01.xxxxxx.org [10.203.xxx.45]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.xxx.1
  2    18 ms    19 ms    18 ms  h-67-100-228-74.nycmny83.covad.net [67.100.xxx.74]
  3    20 ms    19 ms    19 ms  chcsfp01.xxxxxxx.org [10.203.xxx.45]

Trace complete.
Expert Comment

by:Chris Dent

Well it's going to the same gateway, can we check on h-67-100-228-74.nycmny83.covad.net?

Chris
Author Comment

by:bernardb
Covad says they will check, but it doesn't look like them...the Covad tech couldn't specify, but he thinks it's a DNS issue. He said that because I get a successful ping and trace to a server in the same subnet and location....I'm stumped at the moment.
Expert Comment

by:Chris Dent

But if the IP returned is the same, or you can't ping / trace when only using IP then DNS is completely out of the window. As soon as you get the IP back DNS is finished.

Chris
Author Comment

by:bernardb
So sorry for the delayed response...
So you say because it shows "Pinging iprism.xxxxxx.xxxxxx.org [10.203.xxx.50] with 32 bytes of data:"...it eliminates DNS?


U:\>ping iprism

Pinging iprism.xxxxxx.xxxxxx.org [10.203.xxx.50] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.203.xxx.50:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Accepted Solution

by:Chris Dent (earned 500 total points)

If the IP is correct the DNS cannot be to blame because it's done its job properly :)

That puts us back at troubleshooting the network level, because that shouldn't be remotely interested in the name used to access a resource.

Chris
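The triage Chris describes across the thread (resolve the name and compare the address, then test a TCP port, and only then blame the network), as an added example that is not part of the thread. The resolver and the connect test are injectable so it can run offline against constructed results; the host name and address in the usage line are placeholders. One refinement the script makes explicit: "connection refused" means something on the path answered with a RST, which is a different finding from a silent timeout.

```python
import socket

def resolve_live(host):
    """Real resolver; swapped out for a constructed one in the test below."""
    return socket.gethostbyname(host)

def tcp_connect_live(ip, port, timeout=3.0):
    """Return 'open', 'refused' (a RST came back, so the host was reached) or 'unreachable'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route, host unreachable
        return "unreachable"

def triage(host, expected_ip, port, resolve=resolve_live, tcp_connect=tcp_connect_live):
    """Apply the thread's rule: once the name comes back with the right IP,
    DNS has done its job and the remaining fault is at the network level."""
    try:
        ip = resolve(host)
    except OSError as exc:
        return "dns", f"{host} does not resolve: {exc}"
    if ip != expected_ip:
        return "dns", (f"{host} resolved to {ip}, expected {expected_ip}; look for a stray "
                       "record or wildcard in the zone the client searches first")
    state = tcp_connect(ip, port)
    if state == "open":
        return "ok", f"{host} [{ip}] resolves correctly and tcp/{port} answers"
    if state == "refused":
        return "service", (f"{ip} was reached but tcp/{port} refused the connection; "
                           "routing and DNS are fine, look at the service or its listener")
    return "network", (f"{host} resolves correctly to {ip} but tcp/{port} is unreachable; "
                       "check routing, NAT and firewall rules on the path, and the "
                       "target's own address, mask and gateway settings")

if __name__ == "__main__":
    # Constructed placeholders; replace with a real host and its expected address.
    print(triage("filter.example.org", "10.203.0.50", 8080))
```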
Author Comment

by:bernardb
I will continue to troubleshoot...and keep you updated. Thanks for your help, and if you can think of anything at the network level to check, I will.

Thanks again
Author Closing Comment

by:bernardb
Thank you for all of your help...The problem was my fault. The device was an internet filter located at another site. When I filled out the network section, I left out a number.....I slowly went over each setting and noticed it...My apologies.